Telegram Bot

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved, the agent could send messages, change bot settings, manage webhooks, or delete connections for the connected Telegram bot.

Why it was flagged

The skill exposes high-impact Telegram bot write and management actions, but it clearly discloses them and instructs confirmation before writes.

Skill content

Send messages, manage chats, handle updates... **All write operations require explicit user approval.** Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.

Recommendation

Approve only specific, intended write actions; verify chat IDs, connection IDs, webhook URLs, and the expected result before allowing changes.

What this means

Anyone with access to the configured key could potentially act through the connected Telegram bot via Maton.

Why it was flagged

The skill requires a sensitive Maton API key and uses managed Telegram bot token access, which is expected for this integration but grants delegated account authority.

Skill content

All requests require the Maton API key in the Authorization header... Authorization: Bearer $MATON_API_KEY... The `:token` placeholder is automatically replaced with your bot token from the connection configuration.

Recommendation

Keep MATON_API_KEY secret, use only trusted environments, limit access to connected bots, and rotate the key if it may have been exposed.

What this means

Bot messages, updates, media metadata, and command activity may be processed through Maton and any configured Telegram webhook destination.

Why it was flagged

Telegram bot data and actions are routed through the Maton API gateway. This is disclosed and purpose-aligned, but it means chat/update/media data crosses that external service boundary.

Skill content

Base URL: https://api.maton.ai/telegram/:token/{method}... Access is scoped to messages, chats, media, and bot commands within the connected Telegram Bot API account.

Recommendation

Use this only if you trust Maton and any webhook endpoints you configure; avoid routing highly sensitive chats unless that data flow is acceptable.

What this means

Users have less provenance information to independently verify the skill publisher or implementation beyond the registry metadata and referenced Maton endpoints.

Why it was flagged

The artifact does not provide an external source repository or homepage, although there is also no installable code or hidden helper present in the supplied artifacts.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Confirm that the Maton service and registry publisher are the intended provider before adding sensitive Telegram bot credentials.